Handle malloc failures in fuzzing code
Avoid misdiagnosis in OOM situations.
diff --git a/fuzz/fuzz.c b/fuzz/fuzz.c
index b5dfa18..212136a 100644
--- a/fuzz/fuzz.c
+++ b/fuzz/fuzz.c
@@ -211,6 +211,8 @@
if (xmlHashLookup(fuzzData.entities, (xmlChar *)url) == NULL) {
entityInfo = xmlMalloc(sizeof(xmlFuzzEntityInfo));
+ if (entityInfo == NULL)
+ break;
entityInfo->data = entity;
entityInfo->size = entitySize;
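Review bot: The `break` added after the xmlMalloc at the top of the hunk leaves the loop silently, so the entity table is returned partially filled with nothing recording that allocation failed; given the commit's aim of avoiding OOM misdiagnosis, a comment such as `/* OOM: stop reading entities; the table stays partial */` would at least make the behaviour deliberate for later readers. Whether `entity` or `url` hold anything that needs releasing on this path cannot be seen from the hunk. The enclosing loop and function start and end outside the hunk.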
@@ -271,6 +273,10 @@
input->filename = NULL;
input->buf = xmlParserInputBufferCreateMem(entity->data, entity->size,
XML_CHAR_ENCODING_NONE);
+ if (input->buf == NULL) {
+ xmlFreeInputStream(input);
+ return(NULL);
+ }
input->base = input->cur = xmlBufContent(input->buf->buffer);
input->end = input->base + entity->size;
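Review bot: Returning NULL when xmlParserInputBufferCreateMem fails is presumably the same result the caller gets for an unknown entity, so the parser still cannot distinguish an out-of-memory condition from a missing entity; if the loader has a way to report a memory error to its caller (not visible in this hunk), using it would better match the commit's intent. The `xmlFreeInputStream(input)` before the return looks correct here, since `input->buf` is NULL at that point and `input->filename` was already cleared above. The enclosing function starts and ends outside the hunk.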
diff --git a/fuzz/xml.c b/fuzz/xml.c
index 97b40b8..f0dcfcc 100644
--- a/fuzz/xml.c
+++ b/fuzz/xml.c
@@ -37,18 +37,14 @@
/* Lower maximum size when processing entities for now. */
maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;
- if (size > maxSize) {
- xmlFuzzDataCleanup();
- return(0);
- }
+ if (size > maxSize)
+ goto exit;
xmlFuzzReadEntities();
docBuffer = xmlFuzzMainEntity(&docSize);
docUrl = xmlFuzzMainUrl();
- if (docBuffer == NULL) {
- xmlFuzzDataCleanup();
- return(0);
- }
+ if (docBuffer == NULL)
+ goto exit;
/* Pull parser */
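Review bot: The new `goto exit` targets a label spelled like the C library function exit(); labels live in their own namespace so it compiles, but a reader skimming `goto exit;` can mistake it for a call, and a conventional name such as `goto cleanup;` with `cleanup:` at the label would read unambiguously. The same label is used by the later hunks in this file and defined in the last one. The enclosing function starts outside this hunk.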
@@ -63,6 +59,8 @@
/* Push parser */
ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl);
+ if (ctxt == NULL)
+ goto exit;
xmlCtxtUseOptions(ctxt, opts);
for (consumed = 0; consumed < docSize; consumed += chunkSize) {
@@ -81,6 +79,8 @@
/* Reader */
reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts);
+ if (reader == NULL)
+ goto exit;
while (xmlTextReaderRead(reader) == 1) {
if (xmlTextReaderNodeType(reader) == XML_ELEMENT_NODE) {
int i, n = xmlTextReaderAttributeCount(reader);
@@ -92,10 +92,8 @@
}
xmlFreeTextReader(reader);
- /* Cleanup */
-
+exit:
xmlFuzzDataCleanup();
-
return(0);
}